Configure CONTENTdm with SSL to support HTTPS

Find information about SSL support for custom CONTENTdm URLs.

SSL support for custom CONTENTdm URLs

If you have configured a custom CONTENTdm URL on your institution’s domain, you must take action to configure it to work with HTTPS. Without HTTPS support, your users will get warnings that your CONTENTdm site is not secure.

To configure your custom CONTENTdm URL for HTTPS, OCLC enters information about your custom CONTENTdm URL’s SSL certificate into its systems. Information about your SSL certificate is stored in a PKCS #12 file.

Your IT staff must generate your PKCS #12 (or .p12 or .pfx) file, as it requires access to your private encryption keys and SSL certificate files. The organization from which you purchased an SSL certificate typically will provide tools to generate a PKCS #12 file for sharing.

 Note: 

  • OCLC cannot procure or purchase an SSL certificate for a custom CONTENTdm URL in your institution’s domain.
  • OCLC cannot generate this PKCS #12 file for you. Some websites suggest that you must generate the PKCS #12 file on the machine where you will install it. This is not true. The PKCS #12 file can be prepared on any machine or operating system.
  • Do not send any files to OCLC besides your PKCS #12 file. Sending your private key file or any associated SSL certificate files to anyone is a grave security risk for your institution.
  • Do not send a Certificate Signing Request (CSR) to OCLC or ask OCLC staff to generate a CSR for you. OCLC does not provide CSR services. Like PKCS #12, a CSR does not need to be generated on the web server running CONTENTdm.
  • CONTENTdm runs on an Apache server.

Or you may want to take the easy path described in Custom CONTENTdm URLs.

Your IT staff can generate a PKCS #12 file using the OpenSSL command on any machine that has access to your private keys. For a hypothetical CONTENTdm site domain, digital.hawkins.edu, the command line options to generate the corresponding PKCS #12 file are:

openssl pkcs12 -export -out mycert.p12 -inkey hawkinspkey.pem -in digitalhawkinscert.pem -certfile intermediatecert.pem

In the above example, mycert.p12 is the file name of the encrypted PKCS #12 file. Your PKCS #12 file is the only thing that you should send to OCLC.

The other files used in this command are:

  • hawkinspkey.pem: the private key file
  • digitalhawkinscert.pem: the domain certificate file
  • intermediatecert.pem: the certificate file that associates the domain certificate with the root certificate authority (CA)

Common areas of difficulty in SSL certificate creation and management include accessing the private key and generating the CSR, since the CSR references the private key. Either your SSL provider will provide you with a private key, or you can generate your own. Always protect your private key from outside access. As long as the private key used in your CSR matches the private key used when the SSL and intermediate certificates are generated, everything should work. Your SSL provider may give you an online tool to generate the CSR and private key, or you can use OpenSSL to generate them. The OpenSSL command to create a CSR looks like this:

openssl req -nodes -newkey rsa:2048 -sha256 -keyout example.key -out example.csr

If your SSL provider gives you individual .crt or .pem files or a package file like .p7b (PKCS #7), you have some of the individual component pieces of the PKCS #12 package.

Once you have your p12/pfx file, test it with OpenSSL to verify that it can be opened before submitting it to Support:

openssl pkcs12 -info -in mycert.p12

Also, if your p12/pfx file requires a password to open, please provide the password to Support in addition to your p12/pfx file.

 Note: Be certain to track the expiration date of your SSL certificate. When the certificate is about to expire, you will need to regenerate the certificate and send a new PKCS #12 file to OCLC to continue accessing your CONTENTdm site.

Please start preparing the new PKCS #12 file early, at least a month before the expiration date. Submit your new PKCS #12 file to OCLC Support no later than 2 weeks before the expiration date. Otherwise, you risk losing secure access to your website.
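
A pre-submission check for the steps above, added here as an example and not OCLC's own tooling: it confirms that the private key matches the certificate and the CSR, that the certificate is still outside the renewal window, and that the .p12 file opens. The function names, the P12_PASS environment variable and the self-signed sample material built by make_sample are assumptions for illustration; the file names follow the hypothetical digital.hawkins.edu example.

```shell
#!/bin/sh
# Pre-submission checks for a PKCS #12 bundle (added example; all names are illustrative).

# pubkey_of TYPE FILE: print the public key held by a private key, certificate or CSR.
pubkey_of() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# same_key TYPE_A FILE_A TYPE_B FILE_B: succeed only if both files hold the same public key.
same_key() {
    a=$(pubkey_of "$1" "$2") && b=$(pubkey_of "$3" "$4") && [ -n "$a" ] && [ "$a" = "$b" ]
}

# valid_for_days CERT DAYS: succeed if the certificate will still be valid DAYS from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# p12_opens FILE: succeed if the bundle opens with the password in the exported $P12_PASS.
# Reading the password from the environment keeps it out of the process list.
p12_opens() {
    openssl pkcs12 -in "$1" -noout -passin env:P12_PASS >/dev/null 2>&1
}

# make_sample DIR: build constructed throwaway material (self-signed, so no intermediate).
# other.pem is an unrelated key used to show what a mismatch looks like.
make_sample() {
    d=$1; subj="/CN=digital.hawkins.edu"
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 90 -subj "$subj" \
        -keyout "$d/hawkinspkey.pem" -out "$d/digitalhawkinscert.pem" 2>/dev/null &&
    openssl req -new -key "$d/hawkinspkey.pem" -subj "$subj" -out "$d/example.csr" 2>/dev/null &&
    openssl genrsa -out "$d/other.pem" 2048 2>/dev/null &&
    openssl pkcs12 -export -out "$d/mycert.p12" -passout env:P12_PASS \
        -inkey "$d/hawkinspkey.pem" -in "$d/digitalhawkinscert.pem"
}
```

With real files, export P12_PASS and then run, for example, `same_key key hawkinspkey.pem cert digitalhawkinscert.pem`, `valid_for_days digitalhawkinscert.pem 30` and `p12_opens mycert.p12`; each returns a non-zero status when its check fails.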

Once you have created your SSL certificate, follow the instructions described in Advanced: Use a URL in your institution’s domain to complete the process.